Re: [encoding] "13.2.2 iso-2022-jp encoder" (#15) from t-tera on 2015-12-12 (public-webapps-github@w3.org from December 2015)

From: t-tera <notifications@github.com>
Date: Sat, 12 Dec 2015 02:10:42 -0800
To: whatwg/encoding <encoding@noreply.github.com>
Message-ID: <whatwg/encoding/issues/15/164136167@github.com>

Many ISO-2022-JP decoders seem to ignore 0x0E / 0x0F occurrence.
But IE treats 0x0E in ASCII segment as a starting mark of half-width kana.

&lt;input type="hidden" name="foo" value="[0x0E]">

So, In this case, IE interpret "> occurring after 0x0E as half-width kana, not ASCII. Therefore potential XSS risk exists on IE if an encoder produces an encoded text containing bare 0x0E or 0x0F.

Althoght I don't think the IE's behavior is compliant to the original RFC (RFC 1468) nor other major browsers behave like IE, probably it can be said that the resulting encoded bytes shouldn't contain bare ESC, SI or SO, according to "single-byte-char" definition in the RFC.


---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/encoding/issues/15#issuecomment-164136167

Received on Saturday, 12 December 2015 10:11:11 UTC